471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5

Analysis

max time kernel
44s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe
Size

3.3MB
MD5

7cecb5db02e0bb266129e849f42e3499
SHA1

50d638d25f22c8199a3cb552ee985cdf9c0c21be
SHA256

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5
SHA512

37082ffff09ac0eb13fad4cd10ba292e67868f09fb6e609b6d1338789e7af71b44f675e39c656b7e03436008931109fae8579b381182c70aa32c55d2c347ef88
SSDEEP

49152:kXEPcE6MUj3cbEMxh1FuLZ3ggxNwvCUAT+0862XysaffpEecjtXHWlQ2JgoY9fNA:iE6MVEMn1cLWgMKUYVsABYoaoY5yia

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpTuneupPro.exesystweakasp.exesystweakasp.tmpaspsetup.exeaspsetup.tmp

pid	process
1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1236	TuneupPro.exe
3432	systweakasp.exe
4080	systweakasp.tmp
3032	aspsetup.exe
3412	aspsetup.tmp

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Systweak\\Advanced System Protector\\aspcontexthelper64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TuneupPro.exesystweakasp.tmpaspsetup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	TuneupPro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	systweakasp.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	aspsetup.tmp

Loads dropped DLL 11 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpTuneupPro.exesystweakasp.tmpaspsetup.tmpregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1236	TuneupPro.exe
1236	TuneupPro.exe
4080	systweakasp.tmp
4080	systweakasp.tmp
4080	systweakasp.tmp
3412	aspsetup.tmp
3928	regsvr32.exe
4648	regsvr32.exe
4756	regsvr32.exe
3224	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

aspsetup.tmp471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp

description	ioc	process
File created	C:\Windows\system32\sasnative64.exe	aspsetup.tmp
File opened for modification	C:\Windows\system32\sasnative64.exe	aspsetup.tmp
File created	C:\Windows\system32\roboot64.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Windows\system32\roboot64.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp

Drops file in Program Files directory 64 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpaspsetup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Tuneup Pro\is-3H275.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-EQ3QD.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-SL1EC.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-GDCJI.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-6LPG6.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\CleanSchedule.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-JFTEB.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-JPVUS.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\libyara.NET.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-829J6.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-80096.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-DMILA.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\isxdl.dll	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\unins000.dat	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-8Q2RC.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-0VRE1.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-LDRRI.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\unins000.dat	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-7064J.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-AOKIK.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-0A447.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-C4I5B.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Restartexp.exe	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-3SUEB.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-S97Q3.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-LP2S1.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-5BU48.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-J15RO.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\AppResource.dll	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Interop.IWshRuntimeLibrary.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-4NMPV.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\scandll.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-U2UQ1.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-T1L9H.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-V7FPT.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-75DIU.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-4D67C.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-D0F3L.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.Formats.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-FLIKQ.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-PRUOA.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-4DGG9.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Xceed.FileSystem.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-JVMLQ.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\unins000.dat	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-RJV51.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-K0QN2.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-2P93Q.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-OAOUH.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\aspsys.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\unins000.msg	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-MGNVT.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-6BLBI.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-GIP98.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-3HGIJ.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-K7LFK.tmp	aspsetup.tmp
File opened for modification	C:\Program Files (x86)\Advanced System Protector\Microsoft.Win32.TaskScheduler.DLL	aspsetup.tmp
File created	C:\Program Files (x86)\Advanced System Protector\is-IKR6R.tmp	aspsetup.tmp
File created	C:\Program Files (x86)\Tuneup Pro\is-S72IU.tmp	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp

Drops file in Windows directory 2 IoCs

Processes:

TuneupPro.exe

description	ioc	process
File created	C:\Windows\Tasks\Tuneup Pro_UPDATES.job	TuneupPro.exe
File created	C:\Windows\Tasks\Tuneup Pro_DEFAULT.job	TuneupPro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2980 schtasks.exe

pid	process
2980	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1376 taskkill.exe
3996 taskkill.exe
4836 taskkill.exe
2672 taskkill.exe
1084 taskkill.exe
552 taskkill.exe

pid	process
1376	taskkill.exe
3996	taskkill.exe
4836	taskkill.exe
2672	taskkill.exe
1084	taskkill.exe
552	taskkill.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Advanced System Protector\ = "{00212D92-C5D8-4ff4-AE50-B20F0F85C40A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A} = "Scan with Advanced System Protector"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00212D92-C5D8-4ff4-AE50-B20F0F85C40A} = "Scan with Advanced System Protector"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced System Protector	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpmsedge.exemsedge.exeaspsetup.tmp

pid	process
1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
3260	msedge.exe
3260	msedge.exe
3444	msedge.exe
3444	msedge.exe
3412	aspsetup.tmp
3412	aspsetup.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3444 msedge.exe
3444 msedge.exe
3444 msedge.exe
3444 msedge.exe

pid	process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Conhost.exeschtasks.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4836	Conhost.exe
Token: SeDebugPrivilege	2672	schtasks.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	552	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	3996	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpTuneupPro.exemsedge.exeaspsetup.tmp

pid	process
1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
1236	TuneupPro.exe
1236	TuneupPro.exe
3444	msedge.exe
3444	msedge.exe
3412	aspsetup.tmp

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

TuneupPro.exe

pid process

1236 TuneupPro.exe
1236 TuneupPro.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

TuneupPro.exe

pid process

1236 TuneupPro.exe
1236 TuneupPro.exe
1236 TuneupPro.exe
1236 TuneupPro.exe
1236 TuneupPro.exe

pid	process
1236	TuneupPro.exe
1236	TuneupPro.exe

pid	process
1236	TuneupPro.exe
1236	TuneupPro.exe
1236	TuneupPro.exe
1236	TuneupPro.exe
1236	TuneupPro.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmpmsedge.exe

description	pid	process	target process
PID 1612 wrote to memory of 1584	1612	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1612 wrote to memory of 1584	1612	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1612 wrote to memory of 1584	1612	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
PID 1584 wrote to memory of 2064	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1584 wrote to memory of 2064	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1584 wrote to memory of 2064	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	regsvr32.exe
PID 1584 wrote to memory of 3444	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	msedge.exe
PID 1584 wrote to memory of 3444	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	msedge.exe
PID 1584 wrote to memory of 1236	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	TuneupPro.exe
PID 1584 wrote to memory of 1236	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	TuneupPro.exe
PID 1584 wrote to memory of 1236	1584	471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp	TuneupPro.exe
PID 3444 wrote to memory of 4464	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 4464	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 756	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3260	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3260	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1440	3444	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe
"C:\Users\Admin\AppData\Local\Temp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\is-PF1FA.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PF1FA.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp" /SL5="$D01EE,2957012,148992,C:\Users\Admin\AppData\Local\Temp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\jscript.dll"
3⤵
- Modifies registry class
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.tuneuppro.com/tupp/afterinstall.asp?utm_content=AfterInstall&utm_term=Setup&page=install&&LangID=en
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9840146f8,0x7ff984014708,0x7ff984014718
4⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
4⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
4⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
4⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
4⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 /prefetch:8
4⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 /prefetch:8
4⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
4⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
4⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
4⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
4⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:5856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x118,0x10c,0x11c,0x7ff6a2e65460,0x7ff6a2e65470,0x7ff6a2e65480
5⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15610222246966578805,10659334802560881285,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3768 /prefetch:2
4⤵
PID:2116

C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
"C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
4⤵
- Executes dropped EXE
PID:3432

C:\Users\Admin\AppData\Local\Temp\is-IDHRN.tmp\systweakasp.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IDHRN.tmp\systweakasp.tmp" /SL5="$601A0,193643,132096,C:\Program Files (x86)\Tuneup Pro\systweakasp.exe" /verysilent
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ASP" /tr "\"C:\Program Files (x86)\Tuneup Pro\systweakasp.exe\" /verysilent" /sc onlogon /RL Highest /F
6⤵
- Creates scheduled task(s)
PID:2980

C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
"C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
6⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\AppData\Local\Temp\is-ODO3O.tmp\aspsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ODO3O.tmp\aspsetup.tmp" /SL5="$20386,9529906,134144,C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe" /verysilent
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3412

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "systemprotector.exe"
8⤵
- Kills process with taskkill
PID:4836

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "advancedsystemprotector.exe"
8⤵
- Kills process with taskkill
PID:2672

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "aspmanager.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "asp.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "BrowserCleaner.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im "ASPNotifier.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
- Loads dropped DLL
PID:3928

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4648

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
8⤵
- Loads dropped DLL
PID:4756

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll"
9⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector" /f
8⤵
PID:1332

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_101" /f
8⤵
PID:4496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_startup" /f
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "Advanced System Protector_runonce" /f
8⤵
PID:1740

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "systweakasp" /f
8⤵
PID:1328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier" /f
8⤵
PID:3676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_startup" /f
8⤵
PID:4392

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn "AdvancedSystemProtectorNotifier_trigger" /f
8⤵
PID:5188

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" loadvalues
8⤵
PID:5236

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" -silentscan
8⤵
PID:5984

C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
"C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe" createschedule
8⤵
PID:6072

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" loadvalues
9⤵
PID:5076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
"C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe" startup neweventtrigger
1⤵
PID:5576

C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
"C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe" loadvalues
2⤵
PID:5420

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b0 0x41c
1⤵
PID:5976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
Filesize
635KB

MD5
1b954641f9f3a97720e9de3a86caa363

SHA1
e3346c0b212a84a15d7087e5a17b242cc02f6439

SHA256
1ab446046d16c7407bdf9e75693d6e8753a03e3d0b100695cff48fb2941c5a82

SHA512
77729f71da750c82a38c32cd9a815116f6ed56967ecd518a9f72e79c15543d0f9e3b05c79482f1647d9918b43298d5d9f88b87e65b748faa5237e4843c9c52e0

Download Submit
C:\Program Files (x86)\Advanced System Protector\ASPNotifier.exe
Filesize
635KB

MD5
1b954641f9f3a97720e9de3a86caa363

SHA1
e3346c0b212a84a15d7087e5a17b242cc02f6439

SHA256
1ab446046d16c7407bdf9e75693d6e8753a03e3d0b100695cff48fb2941c5a82

SHA512
77729f71da750c82a38c32cd9a815116f6ed56967ecd518a9f72e79c15543d0f9e3b05c79482f1647d9918b43298d5d9f88b87e65b748faa5237e4843c9c52e0

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe
Filesize
8.0MB

MD5
33aff12b5fb549cd3d252ad4319ba8db

SHA1
51ce2a5ff58b722a56cb6b11d8812d8d56af7e8d

SHA256
a677c7f04a7a22f3beae64ed1624771a8604c95b8bbe3143e6b5ed18430f5452

SHA512
55badecf3a6ca7efd62b03fe4d6ece68b85e211b73bb87b7c6610b253af6b6f14dbe17feb9ea111ec4b2b4cf56952d715db20d8290a447b114490a762fed780f

Download Submit
C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe.config
Filesize
9KB

MD5
a284ffaae3af04444474a18803ee2aa3

SHA1
ee173016d79f8031960edecba19160c928e3492e

SHA256
4931f6936709ad3012b8838b3e619bb8e43785c001ec2974a2ecb8041afe4c96

SHA512
f52a13cbcc6878bc510e3010b2d532c7d26dc237555cabcf8daad26be0777ffc3336174a67bba60b33d4708241a90d7d2be86e9cc319f07f39056664f5b6f920

Download Submit
C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll
Filesize
1.1MB

MD5
890d00a3ee9d5be5d3a4248a8c529df0

SHA1
d094cace0566e6a9548b8b8841dffecf4ed2b0a3

SHA256
6fdb54429dc63541741676f065cbb903af0fc63f6d9d9bd2915b9f5f94853a62

SHA512
c75cdaf2b32d32e7303db78dbe5d78775ad9cca566ecd0fc6e503845941d172234d6b1600919a058fe2ebaa7cb3e5b64d28bcdf02285cfe5e0a7eb29dfc4f6f5

Download Submit
C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll
Filesize
1.1MB

MD5
890d00a3ee9d5be5d3a4248a8c529df0

SHA1
d094cace0566e6a9548b8b8841dffecf4ed2b0a3

SHA256
6fdb54429dc63541741676f065cbb903af0fc63f6d9d9bd2915b9f5f94853a62

SHA512
c75cdaf2b32d32e7303db78dbe5d78775ad9cca566ecd0fc6e503845941d172234d6b1600919a058fe2ebaa7cb3e5b64d28bcdf02285cfe5e0a7eb29dfc4f6f5

Download Submit
C:\Program Files (x86)\Advanced System Protector\SQLite.Interop.dll
Filesize
1.1MB

MD5
890d00a3ee9d5be5d3a4248a8c529df0

SHA1
d094cace0566e6a9548b8b8841dffecf4ed2b0a3

SHA256
6fdb54429dc63541741676f065cbb903af0fc63f6d9d9bd2915b9f5f94853a62

SHA512
c75cdaf2b32d32e7303db78dbe5d78775ad9cca566ecd0fc6e503845941d172234d6b1600919a058fe2ebaa7cb3e5b64d28bcdf02285cfe5e0a7eb29dfc4f6f5

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\System.Data.SQLite.dll
Filesize
373KB

MD5
e057bfd75665a9326919008b08870acf

SHA1
ccefd28d344663184a8dd9271d9266dee4d6d67b

SHA256
c3d0211dbc8897b4d04f063f598ac2a14977b7d8ee9d4326dd41eb79d3a8d648

SHA512
68690123f9e75ba5975e2ad701729c012cda0c735d9dece9618576bf500d57f64a36f7f3528ce89fd41db63974e3a3c568ec3673b5711a9d35eec280ef3edc55

Download Submit
C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
C:\Program Files (x86)\Advanced System Protector\Xceed.Compression.dll
Filesize
118KB

MD5
77c58c931770b18374fa1776b5368058

SHA1
c67cbaf0e2c77f2d0f6763577c92a77fa63575d9

SHA256
8dc50dbcfd15ab8566caef5c1c6596d1eb194e9d08ef438cf171cd322db2dd6b

SHA512
36d8fa4eefd32d1052e136738fe1dccf1faebf6c499477236a39cf64d534cfb18335f9f7a3e3bdb19fc15486f729e0c957fcc05491aac7a02205a3e001f2ac62

Download Submit
C:\Program Files (x86)\Advanced System Protector\aspsys.dll
Filesize
974KB

MD5
d9652b5da10ad056b64ce262e2576757

SHA1
3e95f7211eb790e2534b25cbe2376c4f2953d254

SHA256
ebd47fa0dae95ce25650817cc0cdeb793a6870fb1e1c681595c39b93581bfcff

SHA512
680f49f502fc83f0ce39be60819b5680540a76cf91e63c8ca42dce8bfa4da82bbbd4f78501037180e2f286e8adf8d3c42baaa377d45ddc254fd9ca79b86ce490

Download Submit
C:\Program Files (x86)\Advanced System Protector\aspsys.dll
Filesize
974KB

MD5
d9652b5da10ad056b64ce262e2576757

SHA1
3e95f7211eb790e2534b25cbe2376c4f2953d254

SHA256
ebd47fa0dae95ce25650817cc0cdeb793a6870fb1e1c681595c39b93581bfcff

SHA512
680f49f502fc83f0ce39be60819b5680540a76cf91e63c8ca42dce8bfa4da82bbbd4f78501037180e2f286e8adf8d3c42baaa377d45ddc254fd9ca79b86ce490

Download Submit
C:\Program Files (x86)\Advanced System Protector\aspsys.dll
Filesize
974KB

MD5
d9652b5da10ad056b64ce262e2576757

SHA1
3e95f7211eb790e2534b25cbe2376c4f2953d254

SHA256
ebd47fa0dae95ce25650817cc0cdeb793a6870fb1e1c681595c39b93581bfcff

SHA512
680f49f502fc83f0ce39be60819b5680540a76cf91e63c8ca42dce8bfa4da82bbbd4f78501037180e2f286e8adf8d3c42baaa377d45ddc254fd9ca79b86ce490

Download Submit
C:\Program Files (x86)\Advanced System Protector\notifierlib.dll
Filesize
633KB

MD5
1163a97a57b8b7d574727b94621ac65c

SHA1
ffd91aff4b4a6efef8c5ef9a43dc9b64fe84838f

SHA256
ce6e571d7f07a019c4ecd92d6a7b3b7ab6f6b075bd523610a7ceef7db84e7347

SHA512
211630563429a7b233f1590c24c9ffaf60440e908dc5a0231e116706afcec914e43cbd26fcd10097b7332cdba3765ee70f00f8ed3de1166626acf42ebe43d0ee

Download Submit
C:\Program Files (x86)\Tuneup Pro\FileList.rcp
Filesize
13KB

MD5
856e0fd8e725e175568c9750045829ee

SHA1
983678d82e63f181d2d77f42d7fde27eab317432

SHA256
171099dece5d940339136025019c7cbcb5b6959b40e1eccddb318db419f69442

SHA512
ffa7f5a67e91368f1651976843c40fe670882f0ef3b20f466f05bd1728844d31f489755a4f6a7f502dfd03a31053140a0d1a35c2ada29f823b17e82519ab382d

Download Submit
C:\Program Files (x86)\Tuneup Pro\RegList.rcp
Filesize
89KB

MD5
5e301389550a01b7d10b5666a327624c

SHA1
0000d901de7debd1ef579ddf64df92b932912224

SHA256
2b7250211f050bd11bf7ab5d296aba46ccb88875b8bf4b8154a382277144c36e

SHA512
d58d1eda01a77985beaec96a006b2e7708f6c6c6553a474f39a2cd1c858aa71c7eca23dbc983fdad2d996fc296ffbc554eac1e5869d96944733ee574d7a6dbab

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\TuneupPro.exe
Filesize
7.3MB

MD5
be2ce71fc87a375f96665b980ec59f7b

SHA1
5ecad41aee09c73f8f7bf1d8d49bea7a222fff85

SHA256
88967773ef715fa98dc87a529d8d0e2f9d3e4783fab33e30f2df88df2a81bc76

SHA512
1a5e44396114afd5ad4b51eeba4ec4a08c07b8664836acc126c6c255ed023e8cc5d7fa9104bde8c703d45b45d4ac02cb6e5983f26cd55efec13f5ba723918e05

Download Submit
C:\Program Files (x86)\Tuneup Pro\XmlLite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
C:\Program Files (x86)\Tuneup Pro\eng_rcp.ini
Filesize
83KB

MD5
bbf623a44f466bf544d2418f4473a7e4

SHA1
684e3b0396a143d23f64c3eda59f6b29291cf967

SHA256
115fa830c0087b531655bc2974522d924405f718289c57769e9aae44c7b116d5

SHA512
e6d3a359f63c34d3457e8c2c56addf8d90cf7ac7e99db6545fc6a3f713fb4b0f631d6aa75da7064effdb4df6001aa7a65e06a010cbeaf561cf865b4c3dc0670e

Download Submit
C:\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
C:\Program Files (x86)\Tuneup Pro\isxdl.dll
Filesize
153KB

MD5
16429d91b2a28595e3bb5f6a48faa705

SHA1
aa195a50f21cf8935c7031543215151214c6ef4b

SHA256
1b141a14ed518bf01f847d893e282b831d0f0cee87919bc2e98e54a3c80f5471

SHA512
a6f0ba9812c2bf8b6ddac02fff963ad062a7f7fc08ee238d680e32eccb741f7875954765a5e86a2cd3ae0be72cd5b773a9c67425dfb106ecef8e285cdf02ad64

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Program Files (x86)\Tuneup Pro\systweakasp.exe
Filesize
579KB

MD5
8f2ca56d9c7c425facbe535745092ff2

SHA1
f2cbbe9867a40a0928542dace51d8b94957dfcac

SHA256
0c4e44adbd402f42a65bfdd4143a874b76bca9e3a51af3ede9268489e37a8bc4

SHA512
a19cdddd7c9f4bea90e64b03c5f3635d07e25545d35a020ee10de1a79b61748e8673aac179746dce334338d536fdc71ba24479b9cf643e5550ecca3af5c9990e

Download Submit
C:\Program Files (x86)\Tuneup Pro\xmllite.dll
Filesize
124KB

MD5
71a2dca8f626fcef8bff7e2c17c67a7f

SHA1
5aaea93ec3f4d722d7ea0c2d86bc4f3cbdce5c92

SHA256
b55a978443ef0b873875910283bedfab0c3133bac7be72a68ed5146f83f1ef8c

SHA512
5244918679eba6e7af8e367c66c3d1bdcfa2323400994ecda37ccd697fb28b52ffdad992650929ec98b98ae9e0213074368a8881c6a62e48579c30f17051a17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdvancedSystemProtector.exe.log
Filesize
1KB

MD5
24d1f316eaded5f40096bd48a835f459

SHA1
9449af5e38fb69854456b0c15c17370078b32d84

SHA256
390a7a0dd2b090f35f77b9142e0da7788e22fdc3ce56a6cbab2764f38d6be946

SHA512
4c31ff72c858df5f7cc066b100bd98a30acde33c27aeb25c3836ec92b5ad117cb90576722e254430564e25a006640e74a1d62b18ea1ff47d797cdd7f4faf79c4

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Systweak\Advanced System Protector\aspcontexthelper64.dll
Filesize
136KB

MD5
e7059592011dbb3ca2347e8e2e4ba400

SHA1
be5feb87ce963220e19f689489819fd374aab94c

SHA256
d931455afb2a3a282e5b16187e8a94c7d1f0f5df1ba38e3ba46bc58716653ea8

SHA512
72923928018050178f2e10a08b733837180cffa21daec360cb6ec95d4e5099bcfb5e9bdece59684ae2e1e117103762c8dea1d8fb6a645957aef0c29b7f17114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D694T.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IDHRN.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IDHRN.tmp\systweakasp.tmp
Filesize
1.1MB

MD5
d4fde02fb6b4eb1bebc289aca8289ae9

SHA1
9518abb7827a4e5b0eb52ff9221d1224f23c7e06

SHA256
3f8c455ab5e927d205eaf643f8c045c9115f4081049d1319d8ae9894ef21a397

SHA512
f99e61ef419f88ebc8d48298a5eed91e6ce0440f8ca075947a612d46d2ac9cfb66865c898c86bc8b0224c68eab61c396b414ba4c0fd64c71551c90d22cdded5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNO9O.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNO9O.tmp\isxdl.dll
Filesize
152KB

MD5
1e95c2a4d1c4f57b67cca6ab4c2c8b91

SHA1
9c9501210b5469c1a390f5f44674dde5ece10b09

SHA256
31163bd401dd84733cb21fd84a25e883082c70640fcc255883b637788a7bed4c

SHA512
9d6cf00fd1a66d044f3e100a29e5154eb68e785be97033d277a6255c69e6fb0340c117299e7c4273053205d44f9fde1353e2aa0f19b3589413fe8c90ccacc8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NNO9O.tmp\isxdl.dll
Filesize
152KB

MD5
1e95c2a4d1c4f57b67cca6ab4c2c8b91

SHA1
9c9501210b5469c1a390f5f44674dde5ece10b09

SHA256
31163bd401dd84733cb21fd84a25e883082c70640fcc255883b637788a7bed4c

SHA512
9d6cf00fd1a66d044f3e100a29e5154eb68e785be97033d277a6255c69e6fb0340c117299e7c4273053205d44f9fde1353e2aa0f19b3589413fe8c90ccacc8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ODO3O.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ODO3O.tmp\aspsetup.tmp
Filesize
1.2MB

MD5
62ceb818e56ce85ba410f1a290e4d922

SHA1
2165d42d4234e2edfdbf158b12e279b531900af2

SHA256
0d3b947076332280f176f502341cc23a68f110d441d386448f4c7bd6596e405d

SHA512
46df25076588518f9d225d49d41e7d2d3c75705e37fc7a86f0f4a58f24fc897e8fb15a64aa4a27b84923b29f108a876e33b03f2dc54e22380c47091b42787c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OOKFC.tmp\isxdl.dll
Filesize
147KB

MD5
4beded47aa9b07f05a56c0f97331d1a4

SHA1
c2b4df1ad01c5f9b7fb60694312444450f285dbe

SHA256
da171a2e0eec75f372d1fc0a69be17a4a7d519908a6f75b76abe6ec7ab71d284

SHA512
488e68d604259d0d2e546edf45429ace33054dbc71098977e82b43c4c97ba341d1a4bdab4170e48a5178423183bb06ff947149cfbeb8b868b4175996b211cfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PF1FA.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PF1FA.tmp\471ae3d0badd70c95a7dc4e9db4ce001544281e1f6bbcf94131395fcebaa29d5.tmp
Filesize
1.2MB

MD5
3aabfe33f7b23e5b8409647b6b41996f

SHA1
8653690e9d2bae73243a8203b8dc9c34c5163d72

SHA256
706612698e77b203d3058c2edda371cd5425f325bac7fbe0dfb6d8542dc37b4c

SHA512
2e5ff22d9ff1bab18adeaf2ddde9724e1a14c1488fd5e0beed5196cfcad3f2e110588d7166cebe71f72072bc8ddcdee59b5929c3dd163f9b5e02c88a5e584792

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
C:\Users\Admin\AppData\Roaming\ASP\aspsetup.exe
Filesize
9.6MB

MD5
baaf358c8ec9eda3dcdf59d500fbaacd

SHA1
9cfabd299a6c438376d1dec3c160f52c3af93738

SHA256
cd8d06443e9284f56755e64742b9d40c2096efc5c83ca3eba2fb93f80ba5401b

SHA512
63a275bd26452d4d89da23136f97b8d3dbf5576fb7849794992106f75ed31f1cc25e058bdfae788f1295a700a89ec2e5c3ccd40ea60a9c26cb2a66e2939c7520

Download Submit
C:\Users\Admin\AppData\Roaming\Systweak\Advanced System Protector\ASPLog.txt
Filesize
123B

MD5
c8174b80c004f0c6aa0c6d4d77ff301b

SHA1
438e4b59b008eacc8ac9328cfb243de3c576986e

SHA256
0fe50c1476d2a73a1ab4abfb77259cbab67cf2afffeb1ff53a0579fc8d71c0aa

SHA512
a4b127158e4d5493bd1c79ca672485806da51519d23e60941cc01f8f67b0042aed9ff605086ee42f1e5964a91b016a3c33e2c84f75335e580370a12deb5f866f

Download Submit
C:\Users\Admin\AppData\Roaming\Systweak\Advanced System Protector\Settings.db
Filesize
40KB

MD5
aac57aacea05e8f2c6e328a69d99ca1e

SHA1
5168b2af8a8d83aac78d06653729df0c52502eef

SHA256
fb74cf7d14be8fe2b0fc1908e6c25f99a5f7f6c6970fa5d272402ccc626ee5bc

SHA512
8b543c47e19a15b79da38f7638e501eeebe16f34e948682070657632a8b9e1bcd7bb086f5e2d667d6d588a721ae963b5f62ab1d23678eaa178c1f6a1c1b6aea4

Download Submit
\??\pipe\LOCAL\crashpad_3444_XKEYWOOTDRJYNRSV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/552-198-0x0000000000000000-mapping.dmp

Download
memory/756-152-0x0000000000000000-mapping.dmp

Download
memory/784-158-0x0000000000000000-mapping.dmp

Download
memory/1084-197-0x0000000000000000-mapping.dmp

Download
memory/1236-141-0x0000000000000000-mapping.dmp

Download
memory/1328-216-0x0000000000000000-mapping.dmp

Download
memory/1332-212-0x0000000000000000-mapping.dmp

Download
memory/1376-199-0x0000000000000000-mapping.dmp

Download
memory/1440-156-0x0000000000000000-mapping.dmp

Download
memory/1584-135-0x0000000000000000-mapping.dmp

Download
memory/1612-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-215-0x0000000000000000-mapping.dmp

Download
memory/2064-139-0x0000000000000000-mapping.dmp

Download
memory/2116-303-0x0000000000000000-mapping.dmp

Download
memory/2672-214-0x0000000000000000-mapping.dmp

Download
memory/2672-196-0x0000000000000000-mapping.dmp

Download
memory/2980-177-0x0000000000000000-mapping.dmp

Download
memory/3032-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-191-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-207-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-186-0x0000000000000000-mapping.dmp

Download
memory/3224-210-0x0000000000000000-mapping.dmp

Download
memory/3260-153-0x0000000000000000-mapping.dmp

Download
memory/3412-192-0x0000000000000000-mapping.dmp

Download
memory/3432-176-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3432-164-0x0000000000000000-mapping.dmp

Download
memory/3432-166-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3432-294-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3444-140-0x0000000000000000-mapping.dmp

Download
memory/3676-217-0x0000000000000000-mapping.dmp

Download
memory/3780-162-0x0000000000000000-mapping.dmp

Download
memory/3928-202-0x0000000000000000-mapping.dmp

Download
memory/3952-179-0x0000000000000000-mapping.dmp

Download
memory/3996-200-0x0000000000000000-mapping.dmp

Download
memory/4080-168-0x0000000000000000-mapping.dmp

Download
memory/4080-174-0x00000000032E0000-0x000000000330A000-memory.dmp

Filesize
168KB

Download
memory/4088-160-0x0000000000000000-mapping.dmp

Download
memory/4392-218-0x0000000000000000-mapping.dmp

Download
memory/4464-146-0x0000000000000000-mapping.dmp

Download
memory/4496-213-0x0000000000000000-mapping.dmp

Download
memory/4516-183-0x0000000000000000-mapping.dmp

Download
memory/4648-205-0x0000000000000000-mapping.dmp

Download
memory/4756-208-0x0000000000000000-mapping.dmp

Download
memory/4836-195-0x0000000000000000-mapping.dmp

Download
memory/5040-185-0x0000000000000000-mapping.dmp

Download
memory/5076-298-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5076-299-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5076-297-0x0000000000000000-mapping.dmp

Download
memory/5188-219-0x0000000000000000-mapping.dmp

Download
memory/5236-242-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5236-229-0x00000000053A0000-0x0000000005400000-memory.dmp

Filesize
384KB

Download
memory/5236-254-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-255-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-257-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-256-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-269-0x00000000079F0000-0x0000000007A56000-memory.dmp

Filesize
408KB

Download
memory/5236-239-0x00000000070A0000-0x00000000070C2000-memory.dmp

Filesize
136KB

Download
memory/5236-220-0x0000000000000000-mapping.dmp

Download
memory/5236-224-0x0000000000140000-0x000000000094C000-memory.dmp

Filesize
8.0MB

Download
memory/5236-225-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/5236-251-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-250-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-248-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-249-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-247-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-252-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-245-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5236-244-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-243-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-253-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-232-0x0000000006DE0000-0x0000000006E72000-memory.dmp

Filesize
584KB

Download
memory/5236-238-0x0000000006F10000-0x0000000006F4C000-memory.dmp

Filesize
240KB

Download
memory/5236-233-0x0000000006F50000-0x000000000701E000-memory.dmp

Filesize
824KB

Download
memory/5236-246-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/5236-237-0x0000000006EA0000-0x0000000006EBC000-memory.dmp

Filesize
112KB

Download
memory/5420-306-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5420-305-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5420-304-0x0000000000000000-mapping.dmp

Download
memory/5576-307-0x00000000085E0000-0x00000000085F2000-memory.dmp

Filesize
72KB

Download
memory/5576-308-0x0000000008640000-0x000000000867C000-memory.dmp

Filesize
240KB

Download
memory/5776-270-0x0000000000000000-mapping.dmp

Download
memory/5856-271-0x0000000000000000-mapping.dmp

Download
memory/5876-272-0x0000000000000000-mapping.dmp

Download
memory/5984-293-0x0000000008050000-0x000000000805A000-memory.dmp

Filesize
40KB

Download
memory/5984-285-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5984-283-0x0000000010000000-0x000000001017D000-memory.dmp

Filesize
1.5MB

Download
memory/5984-300-0x000000000D610000-0x000000000D644000-memory.dmp

Filesize
208KB

Download
memory/5984-302-0x0000000010BE0000-0x0000000011386000-memory.dmp

Filesize
7.6MB

Download
memory/5984-296-0x000000000BAF0000-0x000000000BB12000-memory.dmp

Filesize
136KB

Download
memory/5984-295-0x000000000BA20000-0x000000000BA42000-memory.dmp

Filesize
136KB

Download
memory/5984-301-0x000000000D650000-0x000000000D672000-memory.dmp

Filesize
136KB

Download
memory/5984-273-0x0000000000000000-mapping.dmp

Download
memory/6072-289-0x0000000000240000-0x00000000002E0000-memory.dmp

Filesize
640KB

Download
memory/6072-284-0x0000000000000000-mapping.dmp

Download
memory/6072-292-0x0000000004BD0000-0x0000000004C70000-memory.dmp

Filesize
640KB

Download